On 17 December 2024, the Office of the Australian Information Commissioner (OAIC) accepted an enforceable undertaking from Meta Platforms, Inc. (Meta) (formerly Facebook). Meta agreed to a $50 million settlement to resolve allegations of breaching the Privacy Act 1988 (Cth) (Privacy Act) in relation to the Cambridge Analytica incident. The settlement represents the largest payment in Australia aimed at addressing privacy concerns, and is intended to compensate Australian Facebook users whose data was improperly accessed.
Australian Information Commissioner Elizabeth Tydd commented:
"The payment scheme is a significant amount that demonstrates that all entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law, and give users reasonable choice and control about how their personal information is used."
Meta provided the enforceable undertaking on a without prejudice basis and without any admission of liability, meaning there has been no finding that Meta breached the Privacy Act or the Australian Privacy Principles (APPs). The undertaking also led to the discontinuance of the Federal Court of Australia Proceeding No NSD 246 of 2020 (Civil Penalty Proceedings), which had been initiated by the OAIC against Meta.
The Cambridge Analytica incident has significantly heightened public awareness about data privacy and the potential misuse of personal information by social media platforms. This incident has also led to increased scrutiny of these platforms and their data handling practices.
Recap: the Cambridge Analytica incident
About a decade ago, Facebook allegedly released the personal data of millions of Facebook users worldwide, including over 300,000 Australians. Doctor Aleksandr Kogan, a professor at Cambridge University, developed a third-party application called This is Your Digital Life (App). Using Facebook's Graph API, the App collected data not only from users who installed it but also from their Facebook friends. The data collected was allegedly transferred to Cambridge Analytica, a British data analytics firm, and its parent company, Strategic Communication Laboratories, in violation of Facebook's terms of service. Cambridge Analytica claimed to have used the data collected from the Facebook users for political advertising during the 2016 US presidential election.
OAIC's investigation
In April 2018, the OAIC began investigating Meta's data handling practices in response to the Cambridge Analytica incident. As a result of this investigation, the OAIC initiated the Civil Penalty Proceedings against Meta. The investigation and proceedings revealed significant concerns regarding the protection of Australian Facebook users' personal information between 2013 and 2015. It was suggested that Meta and Meta Platforms Ireland may have violated section 13G of the Privacy Act through serious or repeated breaches of APPs 6.1 and 11.1.
During the period the App was available to Facebook users, the OAIC alleged that approximately:
- 53 Facebook users located in Australia installed the App; and
- 311,074 Facebook users located in Australia could have had their personal information requested by the App as friends of those who installed it.
Meta offered the enforceable undertaking under section 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) to address the OAIC’s concerns and establish a compensation scheme for eligible Facebook users whose personal information may have been compromised in the Cambridge Analytica incident.
Compensation scheme for affected Facebook users
The compensation scheme is available to individuals who:
- held a Facebook account between 2 November 2013 and 17 December 2015;
- were present in Australia for more than 30 days during that period; and
- either installed the App or were Facebook friends with an individual who installed the App.
The compensation scheme will consist of two classes. The first class will offer specific payments to those who can demonstrate they have incurred economic and/or non-economic loss or damage. The second class will allow individuals to apply for payment if they believe they experienced a generalised concern or embarrassment.
Applications for compensation are expected to open in the second quarter of 2025.
Regulatory and legal action in the US and UK
United States
In 2019, the Federal Trade Commission (FTC) fined Meta $5 billion, which was primarily related to violations of a 2012 FTC order, but was brought to light by the Cambridge Analytica incident. The fine also addressed broader issues with Facebook's privacy practices, including deceptive disclosures and settings that undermined users' privacy preferences.
Meta has also been the subject of two class actions in the US. In 2023, Meta reached a $725 million privacy settlement with American Facebook users. More recently, in November 2024, the US Supreme Court allowed the multibillion-dollar class action lawsuit against Meta to proceed. Investors allege that Meta did not fully disclose the risks of user data misuse by Cambridge Analytica. This action led to a significant fall in the company's share price in 2018.
United Kingdom
In 2019, Meta agreed to pay a £500,000 fine (with no admission of liability) to the UK Information Commissioner's Office in relation to the Cambridge Analytica incident.
Learning lessons for organisations
Our top three learnings from the Cambridge Analytica incident and the subsequent OAIC investigation are as follows:
- Robust data protection and monitoring: one of the major issues in the Cambridge Analytica incident appeared to be the insufficient resources applied by Meta to monitor third party applications that collected and shared data. Organisations should implement robust data protection measures and continuously monitor third party applications to ensure compliance with Australian privacy laws.
- Transparency and user consent: the Cambridge Analytica incident underscores the need for transparency in data collection and usage. Organisations must ensure that users are fully informed about how their data will be used (a requirement under the APPs). Best practice dictates that an organisation should obtain consent if they plan to share their users’ data with third party applications.
- Ethical data use: the ethical use of data is paramount. Organisations should establish and adhere to ethical guidelines for data usage, ensuring that data is used in ways that respect user privacy and do not exploit their personal information.
Increased global scrutiny of social media platforms' data protection and privacy practices
In response to events like the Cambridge Analytica incident, enforcement bodies worldwide are intensifying their efforts to address data privacy issues. The General Data Protection Regulation (GDPR), which came into effect in 2018, has significantly increased scrutiny on data handling practices. Meta has faced investigations involving unauthorized access to user data and has been fined for various privacy violations, including a record €1.2 billion fine in 2023 for transferring EU user data to the US.
In October 2024, the Irish Data Protection Commission fined LinkedIn €310 million for GDPR violations involving the processing of personal data for behavioural analysis and targeted advertising.
In the US, the FTC released a detailed report in September 2024, revealing how social media platforms like Facebook, TikTok, and YouTube collect and monetise vast amounts of personal data. The report emphasized that users often remain unaware of the extent of data collected and the sharing of their information with third parties.
In Australia, there is a growing emphasis on Privacy Act enforcement to ensure stronger privacy protections. During last year's Privacy Awareness Week, Privacy Commissioner Carly Kind's keynote address at the IAPP Sydney KnowledgeNet event emphasised the OAIC's shift towards becoming "a more enforcement-focused regulator, with a range of new enforcement powers at [its] fingertips". With this enhanced enforcement approach, Australian organisations are under increasing pressure to prioritise privacy compliance and adopt robust data handling practices.
Looking ahead
The OAIC's action against Meta marks a significant enforcement milestone in Australia, and reflects the global focus on data handling practices and privacy violations, particularly in relation to social media platforms. As enforcement action intensifies, organisations must proactively assess their privacy frameworks, strengthen their risk management strategies, and ensure they can withstand regulatory scrutiny, in an era of increased governmental and consumer oversight.
MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement.
Please contact us if you would like assistance in managing your privacy compliance.